Fighting ignorance since 1973.(It's taking longer than we thought.)

Do fitness trackers pose a privacy risk?

February 17, 2017

Dear Cecil:

I bought a Fitbit for my company's health challenge, and I was surprised to see how it could not only monitor steps but also track sleep, calories, and resting heart rate. This made me wonder what other information about me could be learned from these data. What are the privacy concerns? I don't care if my employer knows I ride my bike 50 miles a week, but could they know if someone was at the bar until 2 AM?

Dennis Hussey

Illustration by Slug Signorino

Cecil replies:

A nosy boss snooping on your off-the-clock peccadilloes may be the least of your worries. Fitness trackers can upload a nearly complete record of where you’ve been and what you’ve been doing during your every waking moment — and then how soundly you slept at night, too. As police and judges recognize the evidentiary value of such data, it’s possible that every step you take can and will be used against you in a court of law. And most of these devices — Fitbit’s the best known, but its competitors are legion — lack some basic security precautions. Even if you’re one of those upstanding nothing-to-hide types, you might not want someone creeping in and tracking your movements, or worse.

Fitbit privacy has been a gradual process for maker and wearers alike. At first, the device’s default settings made your online user profile public. Soon enough, those who hadn’t paid attention to such details discovered that a quick Google search would turn up their Fitbit-measured activity — potentially including their, ahem, most intimate. Now publicly visible data is an opt-in, not an opt-out. Another privacy upgrade was a business necessity: In 2015, Fitbit voluntarily became compliant with the Health Insurance Portability and Accountability Act, the federal law that sets privacy and security requirements for medical info. Though HIPAA doesn’t cover wearable devices (or online health-record storage, at-home paternity tests, or gene-testing companies, for that matter), Fitbit had to adopt its standards anyway in order to partner with corporate wellness programs.

But the big security hole for fitness trackers, according to a study published last year by the Canadian nonprofit Open Effect, is the way the wearable device gets your activity stats online for storage and review — namely via a Bluetooth link with your phone. Fitbit and most other popular wearables broadcast a single, unique Bluetooth address; whenever they’re not actually connected to a mobile device, the report warns, this allows for “long-term tracking of their location.” (The Apple Watch, which emits multiple randomized addresses, evidently does better on this front.) A Bluetooth signal can’t travel far — only about ten meters — but a set of monitors arrayed strategically in a mall could trail you from store to store, whether for overzealous inventory-control purposes or to build a profile of your shopping habits that marketers would pay well for.

Increasingly, law enforcement is also curious about what your Fitbit might have to say. The U.S. Supreme Court says police need a warrant to search your cell phone, so fitness trackers would probably be similarly protected; Fitbit’s privacy policy allows that your data may be disclosed “if we’re required to by law.” But where other tech companies including Google and Facebook regularly issue transparency reports, providing stats like how often the authorities have requested user info and how often the company has complied, Fitbit has yet to adopt such a policy.

And reported on or not, fitness tracker data is finding its way into legal proceedings. In 2015, a woman in Pennsylvania who told police she’d been raped was charged with making a false crime report after the cops found that tracking information from her Fitbit contradicted her story. A cyclists’ tracking app showed that Christopher Bucchere was over the speed limit when he rode his bike through a San Francisco crosswalk in 2012 and killed a 71-year-old pedestrian; he pleaded guilty to felony vehicular manslaughter. On the bright side, you might be able to use fitness stats on your own behalf as well: in a recent Canadian personal-injury case, lawyers for a former personal trainer have sought to introduce Fitbit data to demonstrate their client’s allegedly reduced level of activity following a car accident.

It may seem surprising how quickly insurers and courts are coming to accept tracker data as fact, given what seem to be real limits on the systems’ reliability. Independent studies have found that devices have difficulty consistently measuring heart rates accurately; the FDA announced last summer that it wouldn’t regulate them. And tracker apps are hardly impervious to hacking — about a year ago, e-intruders busted into some Fitbit accounts and tinkered with user names and passwords, apparently hoping to use customer warranties to get replacement devices and sell them. The Open Effect study reports that some other fitness trackers are even more vulnerable, allowing hackers to delete or modify activity data, and you could do the same if you’ve got know-how and lack scruples. Modified heart-rate stats might convince an insurance company you’re a fitter specimen than your doctor might think you are. And a tweaked itinerary? A solid alibi for the cops.